Wednesday, March 22, 2017

Stolen Credit Cards for Sale Via CryptoCheck Payments

A member of a clear web hacker forum is hosting an active website advertising carding services. The website provides links to stolen credit/debit card databases from banks around the world. The individual is associated with an infamous Ukrainian hacker who has long specialized in the sale of stolen credit card information, an association that speaks to the actor's standing in the community. Services on the website can be purchased via Bitcoin (BTC), Western Union, MoneyGram, and a service called CryptoCheck. CryptoCheck is a Russian payment service that is being researched further.

Wapack Labs has cataloged and reported extensively on carding forums in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Monday, March 20, 2017

Circling the Wagons Against Apache Struts2 0-Day

Apache Struts is an open source framework for creating Java web applications. A new Apache Struts2 0-day is currently being exploited in the wild. Multiple variants of attack code, as well as pastes of proof-of-concept (PoC) code, have already been discovered in open sources. The vulnerability affects numerous industries and potentially critical infrastructure worldwide. We assess with high confidence that it will continue to be heavily exploited until exposed systems are patched. Members are strongly encouraged to install the patch as soon as possible and to implement countermeasures in the meantime.
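The following is an added example, not Wapack Labs code. It assumes the Struts2 0-day referred to above is the Content-Type OGNL injection that was public in March 2017 (tracked as S2-045 / CVE-2017-5638), where the malicious expression travels in the HTTP Content-Type request header. A legitimate Content-Type never contains OGNL syntax, so the check below flags any request whose logged Content-Type carries expression markers, which detects the published PoC variants without depending on a specific payload. The log format and log lines are constructed for the example.

```python
"""Flag HTTP requests whose Content-Type header carries OGNL expression syntax.

Added example, not Wapack Labs code. Assumes the Struts2 0-day under discussion
is the Content-Type OGNL injection (S2-045 / CVE-2017-5638). The log format is
Apache combined log plus a quoted Content-Type request header, e.g.
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\""
"""
import re
from urllib.parse import unquote

# OGNL expression openers plus the helper names the public PoCs relied on.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext|@java\.lang\.Runtime|#context\[",
    re.IGNORECASE,
)

# Constructed log format (see module docstring); the Content-Type is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<ctype>[^"]*)"$'
)


def content_type_is_suspicious(ctype: str) -> bool:
    """True if the header contains OGNL syntax, either as logged or after one URL-decode.

    Checking the decoded form as well costs nothing and catches percent-encoded
    variants that some proxies and log pipelines emit.
    """
    if not ctype:
        return False
    return bool(OGNL_MARKERS.search(ctype) or OGNL_MARKERS.search(unquote(ctype)))


def scan_log(lines):
    """Return one record per request with a suspicious Content-Type header."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            # Unparsable line: skipped here; a production job should count these.
            continue
        if content_type_is_suspicious(m["ctype"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "request": m["req"],
                "content_type": m["ctype"][:80],
            })
    return hits


# Constructed sample log lines: two benign requests, two with OGNL in Content-Type.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Mar/2017:09:58:01 +0000] "POST /upload.action HTTP/1.1" 200 88 '
    '"-" "Mozilla/5.0" "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    "203.0.113.7 - - [20/Mar/2017:10:01:12 +0000] \"POST /struts2-showcase/index.action HTTP/1.1\" 200 512 "
    "\"-\" \"curl/7.50\" \"%{(#_='multipart/form-data').(#_memberAccess['allowStaticMethodAccess']=true).(#cmd='id')}\"",
    # Same expression with the opener and '#' percent-encoded, so only the decoded form matches.
    '198.51.100.4 - - [20/Mar/2017:10:03:45 +0000] "POST /index.action HTTP/1.1" 500 0 '
    '"-" "python-requests/2.13" "%25%7B(%23_%3D%27multipart/form-data%27).(%23cmd%3D%27id%27)%7D"',
    '192.0.2.55 - - [20/Mar/2017:10:05:00 +0000] "POST /api/v1/orders HTTP/1.1" 201 40 '
    '"-" "okhttp/3.6" "application/json; charset=utf-8"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['request']} :: {hit['content_type']}")
```

Note that this is a log-side indicator for hunting and blocking, not a substitute for the vendor patch: it only sees what the web server logged, so Content-Type must be included in the log format, and a 200 response on a flagged line means the expression reached the application and should be treated as a probable compromise.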

Wapack Labs has cataloged and reported extensively on Apache Struts in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

WWW.WAPACKLABS.COM

Friday, March 17, 2017

ATM Access For Sale in Spanish Underground

An underground seller is marketing ATM maintenance manuals, access keys and codes, and proprietary software for a major ATM manufacturer on a Spanish-language underground forum. The seller claims to be an ATM mechanic working in Mexico. This information could be used to compromise ATMs at several major Mexican banks. The manufacturer has a presence in over 130 countries and provides hardware and software for banking and retail systems.

Wapack Labs has cataloged and reported on ATM hacking in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Tuesday, March 14, 2017

AlphaBay: Avenue on the “new” Silk Road?

Carding forum AlphaBay's (AB) rules, posted on Twitter, have sparked debate in the underground over whether the forum is controlled by malicious actors in Russia. Rumors of AB being linked to Russian organized crime are not new, but rules prohibiting malware that targets Russian citizens, or the sale of financial information on Russian citizens, lend credence to such claims. Russian carding forums routinely include rules of this type to avoid drawing the attention of Russian authorities. AB's adoption of such rules can only help its effort to become the dominant underground marketplace for illicit goods and services online.

Wapack Labs has cataloged and extensively reported on Russian cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Friday, March 10, 2017

Nigerian Passport Fraud

A known Nigerian keylogger operator and threat actor was observed on 27 February 2017 sending a phishing email with a U.S. Citizenship and Immigration Services (USCIS) and U.S. Embassy lure. The email referenced recent immigration executive orders by President Trump and attempted to lure the target into sending the actor a copy of his passport, presumably for use in the actor's fraudulent activities. Fraudulent use of a legitimate passport can enable financial fraud, terrorist activity, and a host of other illegal activities.

Wapack Labs has cataloged and extensively reported on keylogger operations in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The Long Game: PLA Cyber Actor & Mission

A continued review of academic work by members of the PLA revealed that certain units are publishing an increasing number of papers on cyber security. One of these units was examined in detail to identify its personnel, expertise, location, facilities, and leadership. The examination showed:
  • The name and location of the unit were confirmed.
  • Unit personnel were identified as authors of computer and network security articles.
  • Spending on unit facilities has increased.

Wapack Labs has reported extensively on Chinese cyber actors in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

Thursday, March 9, 2017

UK Based Carder Boasts Decades of Experience

A Wapack Labs analyst is following an established carder who lives in the northwest region of England. He actively posts on various hacker and carder forums offering card information for values up to £5,000. His confederate, who works at an unidentified bank in Great Britain, assists him with money transfers. The carder offers an instant cash-out and will split the profits 50/50. He has been active on carder forums since 2015, while boasting 20+ years of carding experience.

Wapack Labs has cataloged and extensively reported on carders in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.


TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-044-2017
COUNTRIES: US, GB
INDUSTRIES: Financial
REPORT DATE: 20170307

Satan RaaS Becomes an Attractive Plan-B

Satan Ransomware-as-a-Service (RaaS) is similar to previous RaaS platforms but ships with far superior default obfuscation and evasion techniques. Most RaaS payloads are highly detectable and require a separate "crypter," whereas Satan provides built-in XOR encoding and other means of delivering or proxying payloads it advertises as fully undetectable (FUD).

With the Petya, Mischa, and Shark RaaS platforms no longer operating in the underground, Satan is the most popular free RaaS platform, making it very attractive to black hat hackers. Several members are already using Satan RaaS and reporting pending victim payments...READ MORE

Wapack Labs has extensively reported on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: IA-009-2017
COUNTRIES: All
INDUSTRIES: All 
REPORT DATE: 20170307

Wednesday, March 8, 2017

Threat Day Q-1 - Threat Intelligence University (TIU)

We decided to try something NEW for 2017 and use some of our Threat Days for learning!

So next Tuesday, March 14, we will have our first Threat Intelligence University (TIU) Threat Day. Chris Hall and Patrick Maroney, Wapack Labs Principal Engineers, have put together an agenda that includes the first three modules of our Threat Intelligence University courses and an introduction to our NEW Cyber Threat Analysis Center (CTAC). Take a look at our agenda.

Click here for more information or call us at 1-844-4-WAPACK (1-844-492-7225)

Tuesday, March 7, 2017

Sanctioned ANO PO KSI: Surveillance and Ballot Reading

The Autonomous Noncommercial Organization Professional Association of Designers of Data Processing Systems (ANO PO KSI) was sanctioned by the U.S. in response to Russian interference in the 2016 U.S. Presidential election. The company works with the Russian Defense Ministry, FSB, and other government organizations. They produce election ballot and census form scanners, and aero-surveillance cameras...READ MORE

Wapack Labs has extensively reported on election interference in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: GREEN
ACTOR TYPE: (V)
SERIAL: TAR-17
COUNTRIES: RU, US
INDUSTRIES: Military, Political
REPORT DATE: 20170306

Russian Cyber-Influence in the 2017 European Elections

Wapack Labs assesses with high confidence that Russia is behind influence campaigns supporting right-wing nationalist candidates in the Dutch, French, and German national elections who are campaigning on anti-immigration platforms and on reduced participation in the European Union (EU) and NATO. The nationalist parties likely have little chance of winning a majority in the parliamentary elections or the second round of the French presidential election (medium confidence); however, gaining seats gives them the opportunity to influence policy in a coalition government.

We assess, with medium confidence, that Russian cyber actors will conduct espionage and media manipulation operations to influence the outcome of each country’s election, but will modify the previous Tactics, Techniques, and Procedures (TTPs) used against the U.S. in 2016. Russian threat actors will dedicate additional resources to improving operational security to avoid discovery or blowback, and will avoid mimicking the tactics used in Ukraine and Montenegro...READ MORE

Wapack Labs has extensively reported on election interference in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (VI)
SERIAL: PIR-00x-2017
COUNTRIES: Europe, NL, FR, DE, RU
INDUSTRIES: Gov, Political
REPORT DATE: 20170303

Monday, March 6, 2017

Hacking Community Re-directs Novice Forums

Wapack Labs analysts are providing an update regarding an underground carding, malware, and skimming community run by hackers. One of its members is known for his involvement in point-of-sale (PoS) breaches at several retail chains. Our analysts recently observed this community advertising in novice carder forums, which it had not done before. All of its websites redirect buyers to a different carding shop hosted on copycat domains. Some individuals in the underground carding community consider these sites to have been compromised by law enforcement. Pushing these capabilities to a wider, if less experienced, audience may trigger a rise in PoS attacks.

Wapack Labs has cataloged and extensively reported on underground communities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Get Alerts as the Wapack Cyber Technical Reports are Posted. Become a Subscriber, Click here and Get 14 days for 99 cents!

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: TR-043-2017
COUNTRIES: UA, RU
INDUSTRIES: All
REPORT DATE: 20170302

Friday, March 3, 2017

The Amateur from Algeria

On 1 March 2017, a Wapack Labs researcher observed a hacker providing malicious tools on various Arabic, Russian, and English hack forums. He was observed selling gift cards for Bitcoin (BTC), promoting phishing scams, and posting website defacements. The hacker has the skills needed to create basic exploits. The fact that his malicious software is free may speak to its quality, or to how readily people trust a novice...READ MORE

Wapack Labs has extensively reported on carders in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-042-2017
COUNTRIES: DZ
INDUSTRIES: Financial
REPORT DATE: 20170301

Wednesday, March 1, 2017

The Reemergence of a Threat Actor: Six More Weeks of DDoS

Wapack Labs researchers are observing the reemergence of a known threat actor. After a year-long hiatus, he has resumed his habitual online activity. The threat actor is one of the leaders of an established Russia-based hacking group that sells DDoS-as-a-service. In the past, he advertised DDoS services on a number of English, Spanish, and Russian forums. Increased DDoS activity from this group is likely in the near future.

When dealing with high-end threat actors, it is usually safe to take them at their word. This allows us to assess, with medium to high confidence, that this group will resume offering DDoS services, and that this activity will likely result in an increase in DDoS attacks against a wide range of organizations worldwide. We have seen no indications that any Red Sky Alliance members are being targeted at this time, but any organization that has not already done so should verify their ability to mitigate the effects of a DDoS attack either with their own capabilities or those of a third party...READ MORE

Wapack Labs has cataloged and extensively reported on DDoS attackers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: IA-006-2017
COUNTRIES: RU
INDUSTRIES: All
REPORT DATE: 20170301

Tuesday, February 28, 2017

Keylogger Genealogy: The Grandson of Hawkeye

Gear Informer is the successor to the iSpy Keylogger, which was itself developed as a replacement for the Hawkeye keylogger. This family of keyloggers is one of the most prevalent in Wapack Labs collections. Daily Show threat actors were quick to adopt it for their maritime shipping campaigns and provided Wapack Labs with our first observed sample...READ MORE

Wapack Labs has extensively reported on keyloggers in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: AMBER
ACTOR: N/A
SERIAL: TIR-002-2017
COUNTRIES: All
INDUSTRIES: All
REPORT DATE: 20170228